2 * Routines for HTTP packet disassembly
6 * Guy Harris <guy@alum.mit.edu>
8 * Copyright 2004, Jerry Talkington <jtalkington@users.sourceforge.net>
9 * Copyright 2002, Tim Potter <tpot@samba.org>
10 * Copyright 1999, Andrew Tridgell <tridge@samba.org>
14 * Wireshark - Network traffic analyzer
15 * By Gerald Combs <gerald@wireshark.org>
16 * Copyright 1998 Gerald Combs
18 * This program is free software; you can redistribute it and/or
19 * modify it under the terms of the GNU General Public License
20 * as published by the Free Software Foundation; either version 2
21 * of the License, or (at your option) any later version.
23 * This program is distributed in the hope that it will be useful,
24 * but WITHOUT ANY WARRANTY; without even the implied warranty of
25 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
26 * GNU General Public License for more details.
28 * You should have received a copy of the GNU General Public License
29 * along with this program; if not, write to the Free Software
30 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
41 #include <epan/conversation.h>
42 #include <epan/packet.h>
43 #include <epan/strutil.h>
44 #include <epan/base64.h>
45 #include <epan/emem.h>
46 #include <epan/stats_tree.h>
47 #include <epan/ws_strsplit.h>
49 #include <epan/req_resp_hdrs.h>
50 #include "packet-http.h"
51 #include "packet-tcp.h"
52 #include "packet-ssl.h"
53 #include <epan/prefs.h>
54 #include <epan/expert.h>
56 typedef enum _http_type {
65 #ifdef NEED_G_ASCII_STRCASECMP_H
66 #include "g_ascii_strcasecmp.h"
69 static int http_tap = -1;
70 static int http_eo_tap = -1;
72 static int proto_http = -1;
73 static int hf_http_notification = -1;
74 static int hf_http_response = -1;
75 static int hf_http_request = -1;
76 static int hf_http_basic = -1;
77 static int hf_http_request_method = -1;
78 static int hf_http_request_uri = -1;
79 static int hf_http_version = -1;
80 static int hf_http_response_code = -1;
81 static int hf_http_authorization = -1;
82 static int hf_http_proxy_authenticate = -1;
83 static int hf_http_proxy_authorization = -1;
84 static int hf_http_proxy_connect_host = -1;
85 static int hf_http_proxy_connect_port = -1;
86 static int hf_http_www_authenticate = -1;
87 static int hf_http_content_type = -1;
88 static int hf_http_content_length = -1;
89 static int hf_http_content_encoding = -1;
90 static int hf_http_transfer_encoding = -1;
91 static int hf_http_user_agent = -1;
92 static int hf_http_host = -1;
93 static int hf_http_connection = -1;
94 static int hf_http_cookie = -1;
95 static int hf_http_accept = -1;
96 static int hf_http_referer = -1;
97 static int hf_http_accept_language = -1;
98 static int hf_http_accept_encoding = -1;
99 static int hf_http_date = -1;
100 static int hf_http_cache_control = -1;
101 static int hf_http_server = -1;
102 static int hf_http_location = -1;
103 static int hf_http_set_cookie = -1;
104 static int hf_http_last_modified = -1;
105 static int hf_http_x_forwarded_for = -1;
107 static gint ett_http = -1;
108 static gint ett_http_ntlmssp = -1;
109 static gint ett_http_request = -1;
110 static gint ett_http_chunked_response = -1;
111 static gint ett_http_chunk_data = -1;
112 static gint ett_http_encoded_entity = -1;
114 static dissector_handle_t data_handle;
115 static dissector_handle_t media_handle;
116 static dissector_handle_t http_handle;
119 * desegmentation of HTTP headers
120 * (when we are over TCP or another protocol providing the desegmentation API)
122 static gboolean http_desegment_headers = TRUE;
125 * desegmentation of HTTP bodies
126 * (when we are over TCP or another protocol providing the desegmentation API)
127 * TODO let the user filter on content-type the bodies he wants desegmented
129 static gboolean http_desegment_body = TRUE;
132 * De-chunking of content-encoding: chunk entity bodies.
134 static gboolean http_dechunk_body = TRUE;
137 * Decompression of zlib encoded entities.
140 static gboolean http_decompress_body = TRUE;
142 static gboolean http_decompress_body = FALSE;
145 #define TCP_PORT_HTTP 80
146 #define TCP_PORT_PROXY_HTTP 3128
147 #define TCP_PORT_PROXY_ADMIN_HTTP 3132
148 #define TCP_ALT_PORT_HTTP 8080
149 #define TCP_RADAN_HTTP 8088
150 #define TCP_PORT_HKP 11371
151 #define TCP_PORT_DAAP 3689
154 * SSDP is implemented atop HTTP (yes, it really *does* run over UDP).
156 #define TCP_PORT_SSDP 1900
157 #define UDP_PORT_SSDP 1900
163 #define TCP_DEFAULT_RANGE "80,3128,3132,8080,8088,11371,3689,1900"
164 #define SSL_DEFAULT_RANGE "443"
166 static range_t *global_http_tcp_range = NULL;
167 static range_t *global_http_ssl_range = NULL;
169 static range_t *http_tcp_range = NULL;
170 static range_t *http_ssl_range = NULL;
174 * Protocols implemented atop HTTP.
177 PROTO_HTTP, /* just HTTP */
178 PROTO_SSDP, /* Simple Service Discovery Protocol */
179 PROTO_DAAP /* Digital Audio Access Protocol */
182 typedef void (*ReqRespDissector)(tvbuff_t*, proto_tree*, int, const guchar*,
183 const guchar*, http_conv_t *);
186 * Structure holding information from headers needed by main
187 * HTTP dissector code.
191 char *content_type_parameters;
192 gboolean have_content_length;
193 long content_length; /* XXX - make it 64-bit? */
194 char *content_encoding;
195 char *transfer_encoding;
198 static int is_http_request_or_reply(const gchar *data, int linelen,
199 http_type_t *type, ReqRespDissector
200 *reqresp_dissector, http_conv_t *conv_data);
201 static int chunked_encoding_dissector(tvbuff_t **tvb_ptr, packet_info *pinfo,
202 proto_tree *tree, int offset);
203 static void process_header(tvbuff_t *tvb, int offset, int next_offset,
204 const guchar *line, int linelen, int colon_offset, packet_info *pinfo,
205 proto_tree *tree, headers_t *eh_ptr, http_conv_t *conv_data);
206 static gint find_header_hf_value(tvbuff_t *tvb, int offset, guint header_len);
207 static gboolean check_auth_ntlmssp(proto_item *hdr_item, tvbuff_t *tvb,
208 packet_info *pinfo, gchar *value);
209 static gboolean check_auth_basic(proto_item *hdr_item, tvbuff_t *tvb,
212 static dissector_table_t port_subdissector_table;
213 static dissector_table_t media_type_subdissector_table;
214 static heur_dissector_list_t heur_subdissector_list;
216 static dissector_handle_t ntlmssp_handle=NULL;
217 static dissector_handle_t gssapi_handle=NULL;
219 static const value_string vals_status_code[] = {
221 { 101, "Switching Protocols" },
222 { 102, "Processing" },
223 { 199, "Informational - Others" },
228 { 203, "Non-authoritative Information"},
229 { 204, "No Content"},
230 { 205, "Reset Content"},
231 { 206, "Partial Content"},
232 { 207, "Multi-Status"},
233 { 299, "Success - Others"},
235 { 300, "Multiple Choices"},
236 { 301, "Moved Permanently"},
239 { 304, "Not Modified"},
241 { 307, "Temporary Redirect"},
242 { 399, "Redirection - Others"},
244 { 400, "Bad Request"},
245 { 401, "Unauthorized"},
246 { 402, "Payment Required"},
249 { 405, "Method Not Allowed"},
250 { 406, "Not Acceptable"},
251 { 407, "Proxy Authentication Required"},
252 { 408, "Request Time-out"},
255 { 411, "Length Required"},
256 { 412, "Precondition Failed"},
257 { 413, "Request Entity Too Large"},
258 { 414, "Request-URI Too Long"},
259 { 415, "Unsupported Media Type"},
260 { 416, "Requested Range Not Satisfiable"},
261 { 417, "Expectation Failed"},
262 { 422, "Unprocessable Entity"},
264 { 424, "Failed Dependency"},
265 { 499, "Client Error - Others"},
267 { 500, "Internal Server Error"},
268 { 501, "Not Implemented"},
269 { 502, "Bad Gateway"},
270 { 503, "Service Unavailable"},
271 { 504, "Gateway Time-out"},
272 { 505, "HTTP Version not supported"},
273 { 507, "Insufficient Storage"},
274 { 599, "Server Error - Others"},
279 static const gchar* st_str_reqs = "HTTP Requests by Server";
280 static const gchar* st_str_reqs_by_srv_addr = "HTTP Requests by Server Address";
281 static const gchar* st_str_reqs_by_http_host = "HTTP Requests by HTTP Host";
282 static const gchar* st_str_resps_by_srv_addr = "HTTP Responses by Server Address";
284 static int st_node_reqs = -1;
285 static int st_node_reqs_by_srv_addr = -1;
286 static int st_node_reqs_by_http_host = -1;
287 static int st_node_resps_by_srv_addr = -1;
289 /* HTTP/Load Distribution stats init function */
290 static void http_reqs_stats_tree_init(stats_tree* st) {
291 st_node_reqs = stats_tree_create_node(st, st_str_reqs, 0, TRUE);
292 st_node_reqs_by_srv_addr = stats_tree_create_node(st, st_str_reqs_by_srv_addr, st_node_reqs, TRUE);
293 st_node_reqs_by_http_host = stats_tree_create_node(st, st_str_reqs_by_http_host, st_node_reqs, TRUE);
294 st_node_resps_by_srv_addr = stats_tree_create_node(st, st_str_resps_by_srv_addr, 0, TRUE);
297 /* HTTP/Load Distribution stats packet function */
298 static int http_reqs_stats_tree_packet(stats_tree* st, packet_info* pinfo, epan_dissect_t* edt _U_, const void* p) {
299 const http_info_value_t* v = p;
300 int reqs_by_this_host;
301 int reqs_by_this_addr;
302 int resps_by_this_addr;
303 int i = v->response_code;
304 static gchar ip_str[256];
307 if (v->request_method) {
308 g_snprintf(ip_str,sizeof(ip_str),"%s",address_to_str(&pinfo->dst));
310 tick_stat_node(st, st_str_reqs, 0, FALSE);
311 tick_stat_node(st, st_str_reqs_by_srv_addr, st_node_reqs, TRUE);
312 tick_stat_node(st, st_str_reqs_by_http_host, st_node_reqs, TRUE);
313 reqs_by_this_addr = tick_stat_node(st, ip_str, st_node_reqs_by_srv_addr, TRUE);
316 reqs_by_this_host = tick_stat_node(st, v->http_host, st_node_reqs_by_http_host, TRUE);
317 tick_stat_node(st, ip_str, reqs_by_this_host, FALSE);
319 tick_stat_node(st, v->http_host, reqs_by_this_addr, FALSE);
325 g_snprintf(ip_str,sizeof(ip_str),"%s",address_to_str(&pinfo->src));
327 tick_stat_node(st, st_str_resps_by_srv_addr, 0, FALSE);
328 resps_by_this_addr = tick_stat_node(st, ip_str, st_node_resps_by_srv_addr, TRUE);
330 if ( (i>100)&&(i<400) ) {
331 tick_stat_node(st, "OK", resps_by_this_addr, FALSE);
333 tick_stat_node(st, "KO", resps_by_this_addr, FALSE);
343 static int st_node_requests_by_host = -1;
344 static const guint8* st_str_requests_by_host = "HTTP Requests by HTTP Host";
346 /* HTTP/Requests stats init function */
347 static void http_req_stats_tree_init(stats_tree* st) {
348 st_node_requests_by_host = stats_tree_create_node(st, st_str_requests_by_host, 0, TRUE);
351 /* HTTP/Requests stats packet function */
352 static int http_req_stats_tree_packet(stats_tree* st, packet_info* pinfo _U_, epan_dissect_t* edt _U_, const void* p) {
353 const http_info_value_t* v = p;
354 int reqs_by_this_host;
356 if (v->request_method) {
357 tick_stat_node(st, st_str_requests_by_host, 0, FALSE);
360 reqs_by_this_host = tick_stat_node(st, v->http_host, st_node_requests_by_host, TRUE);
362 if (v->request_uri) {
363 tick_stat_node(st, v->request_uri, reqs_by_this_host, TRUE);
373 static const guint8* st_str_packets = "Total HTTP Packets";
374 static const guint8* st_str_requests = "HTTP Request Packets";
375 static const guint8* st_str_responses = "HTTP Response Packets";
376 static const guint8* st_str_resp_broken = "???: broken";
377 static const guint8* st_str_resp_100 = "1xx: Informational";
378 static const guint8* st_str_resp_200 = "2xx: Success";
379 static const guint8* st_str_resp_300 = "3xx: Redirection";
380 static const guint8* st_str_resp_400 = "4xx: Client Error";
381 static const guint8* st_str_resp_500 = "5xx: Server Error";
382 static const guint8* st_str_other = "Other HTTP Packets";
384 static int st_node_packets = -1;
385 static int st_node_requests = -1;
386 static int st_node_responses = -1;
387 static int st_node_resp_broken = -1;
388 static int st_node_resp_100 = -1;
389 static int st_node_resp_200 = -1;
390 static int st_node_resp_300 = -1;
391 static int st_node_resp_400 = -1;
392 static int st_node_resp_500 = -1;
393 static int st_node_other = -1;
396 /* HTTP/Packet Counter stats init function */
397 static void http_stats_tree_init(stats_tree* st) {
398 st_node_packets = stats_tree_create_node(st, st_str_packets, 0, TRUE);
399 st_node_requests = stats_tree_create_pivot(st, st_str_requests, st_node_packets);
400 st_node_responses = stats_tree_create_node(st, st_str_responses, st_node_packets, TRUE);
401 st_node_resp_broken = stats_tree_create_node(st, st_str_resp_broken, st_node_responses, TRUE);
402 st_node_resp_100 = stats_tree_create_node(st, st_str_resp_100, st_node_responses, TRUE);
403 st_node_resp_200 = stats_tree_create_node(st, st_str_resp_200, st_node_responses, TRUE);
404 st_node_resp_300 = stats_tree_create_node(st, st_str_resp_300, st_node_responses, TRUE);
405 st_node_resp_400 = stats_tree_create_node(st, st_str_resp_400, st_node_responses, TRUE);
406 st_node_resp_500 = stats_tree_create_node(st, st_str_resp_500, st_node_responses, TRUE);
407 st_node_other = stats_tree_create_node(st, st_str_other, st_node_packets,FALSE);
410 /* HTTP/Packet Counter stats packet function */
411 static int http_stats_tree_packet(stats_tree* st, packet_info* pinfo _U_, epan_dissect_t* edt _U_, const void* p) {
412 const http_info_value_t* v = p;
413 guint i = v->response_code;
415 const guint8* resp_str;
416 static gchar str[64];
418 tick_stat_node(st, st_str_packets, 0, FALSE);
421 tick_stat_node(st, st_str_responses, st_node_packets, FALSE);
423 if ( (i<100)||(i>=600) ) {
424 resp_grp = st_node_resp_broken;
425 resp_str = st_str_resp_broken;
427 resp_grp = st_node_resp_100;
428 resp_str = st_str_resp_100;
430 resp_grp = st_node_resp_200;
431 resp_str = st_str_resp_200;
433 resp_grp = st_node_resp_300;
434 resp_str = st_str_resp_300;
436 resp_grp = st_node_resp_400;
437 resp_str = st_str_resp_400;
439 resp_grp = st_node_resp_500;
440 resp_str = st_str_resp_500;
443 tick_stat_node(st, resp_str, st_node_responses, FALSE);
445 g_snprintf(str, sizeof(str),"%u %s",i,match_strval(i,vals_status_code));
446 tick_stat_node(st, str, resp_grp, FALSE);
447 } else if (v->request_method) {
448 stats_tree_tick_pivot(st,st_node_requests,v->request_method);
450 tick_stat_node(st, st_str_other, st_node_packets, FALSE);
456 /* Return a tvb that contains the binary representation of a base64
460 base64_to_tvb(const char *base64)
463 char *data = g_strdup(base64);
466 len = epan_base64_decode(data);
467 tvb = tvb_new_real_data((const guint8 *)data, len, len);
469 tvb_set_free_cb(tvb, g_free);
475 dissect_http_ntlmssp(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
478 tvbuff_t *ntlmssp_tvb;
480 ntlmssp_tvb = base64_to_tvb(line);
481 tvb_set_child_real_data_tvbuff(tvb, ntlmssp_tvb);
482 add_new_data_source(pinfo, ntlmssp_tvb, "NTLMSSP / GSSAPI Data");
483 if (tvb_strneql(ntlmssp_tvb, 0, "NTLMSSP", 7) == 0)
484 call_dissector(ntlmssp_handle, ntlmssp_tvb, pinfo, tree);
486 call_dissector(gssapi_handle, ntlmssp_tvb, pinfo, tree);
490 get_http_conversation_data(packet_info *pinfo)
492 conversation_t *conversation;
493 http_conv_t *conv_data;
495 conversation = find_conversation(pinfo->fd->num, &pinfo->src, &pinfo->dst, pinfo->ptype, pinfo->srcport, pinfo->destport, 0);
497 if(!conversation) { /* Conversation does not exist yet - create it */
498 conversation = conversation_new(pinfo->fd->num, &pinfo->src, &pinfo->dst, pinfo->ptype, pinfo->srcport, pinfo->destport, 0);
501 /* Retrieve information from conversation
502 * or add it if it isn't there yet
504 conv_data = conversation_get_proto_data(conversation, proto_http);
506 /* Setup the conversation structure itself */
507 conv_data = se_alloc(sizeof(http_conv_t));
509 conv_data->response_code = 0;
510 conv_data->request_method = NULL;
511 conv_data->request_uri = NULL;
512 conv_data->startframe = 0;
514 conversation_add_proto_data(conversation, proto_http,
522 * TODO: remove this ugly global variable.
523 * XXX: do we really want to have to pass this from one function to another?
525 static http_info_value_t *stat_info;
528 dissect_http_message(tvbuff_t *tvb, int offset, packet_info *pinfo,
529 proto_tree *tree, http_conv_t *conv_data)
532 const char *proto_tag;
533 proto_tree *http_tree = NULL;
534 proto_item *ti = NULL;
537 const guchar *linep, *lineend;
539 int first_linelen, linelen;
540 gboolean is_request_or_reply;
541 gboolean saw_req_resp_or_header;
543 http_type_t http_type;
544 proto_item *hdr_item = NULL;
545 ReqRespDissector reqresp_dissector;
546 proto_tree *req_tree;
550 int reported_datalen = -1;
551 dissector_handle_t handle;
554 /*http_info_value_t *si;*/
558 * Is this a request or response?
560 * Note that "tvb_find_line_end()" will return a value that
561 * is not longer than what's in the buffer, so the
562 * "tvb_get_ptr()" call won't throw an exception.
564 first_linelen = tvb_find_line_end(tvb, offset,
565 tvb_ensure_length_remaining(tvb, offset), &next_offset,
568 * Is the first line a request or response?
570 line = tvb_get_ptr(tvb, offset, first_linelen);
571 http_type = HTTP_OTHERS; /* type not known yet */
572 is_request_or_reply = is_http_request_or_reply((const gchar *)line,
573 first_linelen, &http_type, NULL, conv_data);
574 if (is_request_or_reply) {
576 * Yes, it's a request or response.
577 * Do header desegmentation if we've been told to,
578 * and do body desegmentation if we've been told to and
579 * we find a Content-Length header.
581 if (!req_resp_hdrs_do_reassembly(tvb, offset, pinfo,
582 http_desegment_headers, http_desegment_body)) {
584 * More data needed for desegmentation.
590 stat_info = ep_alloc(sizeof(http_info_value_t));
591 stat_info->framenum = pinfo->fd->num;
592 stat_info->response_code = 0;
593 stat_info->request_method = NULL;
594 stat_info->request_uri = NULL;
595 stat_info->http_host = NULL;
597 switch (pinfo->match_port) {
599 case TCP_PORT_SSDP: /* TCP_PORT_SSDP = UDP_PORT_SSDP */
615 if (check_col(pinfo->cinfo, COL_PROTOCOL))
616 col_set_str(pinfo->cinfo, COL_PROTOCOL, proto_tag);
617 if (check_col(pinfo->cinfo, COL_INFO)) {
619 * Put the first line from the buffer into the summary
620 * if it's an HTTP request or reply (but leave out the
622 * Otherwise, just call it a continuation.
624 * Note that "tvb_find_line_end()" will return a value that
625 * is not longer than what's in the buffer, so the
626 * "tvb_get_ptr()" call won't throw an exception.
628 if (is_request_or_reply) {
629 line = tvb_get_ptr(tvb, offset, first_linelen);
630 col_add_str(pinfo->cinfo, COL_INFO, format_text(line, first_linelen));
633 col_set_str(pinfo->cinfo, COL_INFO, "Continuation or non-HTTP traffic");
636 orig_offset = offset;
638 ti = proto_tree_add_item(tree, proto_http, tvb, offset, -1,
640 http_tree = proto_item_add_subtree(ti, ett_http);
644 * Process the packet data, a line at a time.
646 http_type = HTTP_OTHERS; /* type not known yet */
647 headers.content_type = NULL; /* content type not known yet */
648 headers.content_type_parameters = NULL; /* content type parameters too */
649 headers.have_content_length = FALSE; /* content length not known yet */
650 headers.content_length = 0; /* content length set to 0 (avoid a gcc warning) */
651 headers.content_encoding = NULL; /* content encoding not known yet */
652 headers.transfer_encoding = NULL; /* transfer encoding not known yet */
653 saw_req_resp_or_header = FALSE; /* haven't seen anything yet */
654 while (tvb_reported_length_remaining(tvb, offset) != 0) {
656 * Find the end of the line.
657 * XXX - what if we don't find it because the packet
658 * is cut short by a snapshot length or the header is
659 * split across TCP segments? How much dissection should
662 linelen = tvb_find_line_end(tvb, offset,
663 tvb_ensure_length_remaining(tvb, offset), &next_offset,
669 * Get a buffer that refers to the line.
671 line = tvb_get_ptr(tvb, offset, linelen);
672 lineend = line + linelen;
676 * OK, does it look like an HTTP request or response?
678 reqresp_dissector = NULL;
679 is_request_or_reply =
680 is_http_request_or_reply((const gchar *)line,
681 linelen, &http_type, &reqresp_dissector, conv_data);
682 if (is_request_or_reply)
686 * No. Does it look like a blank line (as would appear
687 * at the end of an HTTP request)?
690 goto is_http; /* Yes. */
693 * No. Does it look like a header?
696 colon_offset = offset;
697 while (linep < lineend) {
701 * This must be a CHAR to be part of a token; that
702 * means it must be ASCII.
705 break; /* not ASCII, thus not a CHAR */
708 * This mustn't be a CTL to be part of a token.
710 * XXX - what about leading LWS on continuation
714 break; /* CTL, not part of a header */
717 * This mustn't be a SEP to be part of a token;
718 * a ':' ends the token, everything else is an
719 * indication that this isn't a header.
741 * It's a separator, so it's not part of a
742 * token, so it's not a field name for the
743 * beginning of a header.
745 * (We don't have to check for HT; that's
746 * already been ruled out by "iscntrl()".)
752 * This ends the token; we consider this
764 * We haven't seen the colon, but everything else looks
765 * OK for a header line.
767 * If we've already seen an HTTP request or response
768 * line, or a header line, and we're at the end of
769 * the tvbuff, we assume this is an incomplete header
770 * line. (We quit this loop after seeing a blank line,
771 * so if we've seen a request or response line, or a
772 * header line, this is probably more of the request
773 * or response we're presumably seeing. There is some
774 * risk of false positives, but the same applies for
775 * full request or response lines or header lines,
776 * although that's less likely.)
778 * We throw an exception in that case, by checking for
779 * the existence of the next byte after the last one
780 * in the line. If it exists, "tvb_ensure_bytes_exist()"
781 * throws no exception, and we fall through to the
782 * "not HTTP" case. If it doesn't exist,
783 * "tvb_ensure_bytes_exist()" will throw the appropriate
786 if (saw_req_resp_or_header)
787 tvb_ensure_bytes_exist(tvb, offset, linelen + 1);
791 * We don't consider this part of an HTTP request or
792 * reply, so we don't display it.
793 * (Yeah, that means we don't display, say, a text/http
794 * page, but you can get that from the data pane.)
804 * This is a blank line, which means that
805 * whatever follows it isn't part of this
808 proto_tree_add_text(http_tree, tvb, offset,
809 next_offset - offset, "%s",
810 tvb_format_text(tvb, offset, next_offset - offset));
811 offset = next_offset;
816 * Not a blank line - either a request, a reply, or a header
819 saw_req_resp_or_header = TRUE;
820 if (is_request_or_reply) {
821 char *text = tvb_format_text(tvb, offset, next_offset - offset);
823 hdr_item = proto_tree_add_text(http_tree, tvb,
824 offset, next_offset - offset, "%s", text);
826 expert_add_info_format(pinfo, hdr_item, PI_SEQUENCE, PI_CHAT, "%s", text);
827 if (reqresp_dissector) {
828 if (tree) req_tree = proto_item_add_subtree(hdr_item, ett_http_request);
829 else req_tree = NULL;
831 reqresp_dissector(tvb, req_tree, offset, line,
839 process_header(tvb, offset, next_offset, line, linelen,
840 colon_offset, pinfo, http_tree, &headers, conv_data);
842 offset = next_offset;
848 case HTTP_NOTIFICATION:
849 proto_tree_add_boolean_hidden(http_tree,
850 hf_http_notification, tvb, 0, 0, 1);
854 proto_tree_add_boolean_hidden(http_tree,
855 hf_http_response, tvb, 0, 0, 1);
859 proto_tree_add_boolean_hidden(http_tree,
860 hf_http_request, tvb, 0, 0, 1);
870 * If a content length was supplied, the amount of data to be
871 * processed as HTTP payload is the minimum of the content
872 * length and the amount of data remaining in the frame.
874 * If no content length was supplied (or if a bad content length
875 * was supplied), the amount of data to be processed is the amount
876 * of data remaining in the frame.
878 * If there was no Content-Length entity header, we should
879 * accumulate all data until the end of the connection.
880 * That'd require that the TCP dissector call subdissectors
881 * for all frames with FIN, even if they contain no data,
882 * which would require subdissectors to deal intelligently
883 * with empty segments.
885 * Acccording to RFC 2616, however, 1xx responses, 204 responses,
886 * and 304 responses MUST NOT include a message body; if no
887 * content length is specified for them, we don't attempt to
890 * XXX - it says the same about responses to HEAD requests;
891 * unless there's a way to determine from the response
892 * whether it's a response to a HEAD request, we have to
893 * keep information about the request and associate that with
894 * the response in order to handle that.
896 datalen = tvb_length_remaining(tvb, offset);
897 if (headers.have_content_length && headers.content_length != -1) {
898 if (datalen > headers.content_length)
899 datalen = headers.content_length;
902 * XXX - limit the reported length in the tvbuff we'll
903 * hand to a subdissector to be no greater than the
906 * We really need both unreassembled and "how long it'd
907 * be if it were reassembled" lengths for tvbuffs, so
908 * that we throw the appropriate exceptions for
909 * "not enough data captured" (running past the length),
910 * "packet needed reassembly" (within the length but
911 * running past the unreassembled length), and
912 * "packet is malformed" (running past the reassembled
915 reported_datalen = tvb_reported_length_remaining(tvb, offset);
916 if (reported_datalen > headers.content_length)
917 reported_datalen = headers.content_length;
923 * Requests have no content if there's no
924 * Content-Length header and no Transfer-Encoding
927 if (headers.transfer_encoding == NULL)
930 reported_datalen = -1;
934 if ((stat_info->response_code/100) == 1 ||
935 stat_info->response_code == 204 ||
936 stat_info->response_code == 304)
937 datalen = 0; /* no content! */
940 * XXX - responses to HEAD requests,
941 * and possibly other responses,
942 * "MUST NOT" include a
945 reported_datalen = -1;
951 * XXX - what about HTTP_NOTIFICATION?
953 reported_datalen = -1;
960 * There's stuff left over; process it.
963 void *save_private_data = NULL;
964 gint chunks_decoded = 0;
967 * Create a tvbuff for the payload.
969 * The amount of data to be processed that's
970 * available in the tvbuff is "datalen", which
971 * is the minimum of the amount of data left in
972 * the tvbuff and any specified content length.
974 * The amount of data to be processed that's in
975 * this frame, regardless of whether it was
976 * captured or not, is "reported_datalen",
977 * which, if no content length was specified,
978 * is -1, i.e. "to the end of the frame.
980 next_tvb = tvb_new_subset(tvb, offset, datalen,
983 * BEWARE - next_tvb is a subset of another tvb,
984 * so we MUST NOT attempt tvb_free(next_tvb);
988 * Handle *transfer* encodings other than "identity".
990 if (headers.transfer_encoding != NULL &&
991 g_ascii_strcasecmp(headers.transfer_encoding, "identity") != 0) {
992 if (http_dechunk_body &&
993 (g_ascii_strncasecmp(headers.transfer_encoding, "chunked", 7)
996 chunks_decoded = chunked_encoding_dissector(
997 &next_tvb, pinfo, http_tree, 0);
999 if (chunks_decoded <= 0) {
1001 * The chunks weren't reassembled,
1002 * or there was a single zero
1005 goto body_dissected;
1008 * Add a new data source for the
1011 tvb_set_child_real_data_tvbuff(tvb,
1013 add_new_data_source(pinfo, next_tvb,
1014 "De-chunked entity body");
1018 * We currently can't handle, for example,
1019 * "gzip", "compress", or "deflate" as
1020 * *transfer* encodings; just handle them
1023 call_dissector(data_handle, next_tvb, pinfo,
1025 goto body_dissected;
1029 * At this point, any chunked *transfer* coding has been removed
1030 * (the entity body has been dechunked) so it can be presented
1031 * for the following operation (*content* encoding), or it has
1032 * been been handed off to the data dissector.
1034 * Handle *content* encodings other than "identity" (which
1035 * shouldn't appear in a Content-Encoding header, but
1036 * we handle it in any case).
1038 if (headers.content_encoding != NULL &&
1039 g_ascii_strcasecmp(headers.content_encoding, "identity") != 0) {
1041 * We currently can't handle, for example, "compress";
1042 * just handle them as data for now.
1044 * After July 7, 2004 the LZW patent expires, so support
1045 * might be added then. However, I don't think that
1046 * anybody ever really implemented "compress", due to
1047 * the aforementioned patent.
1049 tvbuff_t *uncomp_tvb = NULL;
1050 proto_item *e_ti = NULL;
1051 proto_tree *e_tree = NULL;
1053 if (http_decompress_body &&
1054 (g_ascii_strcasecmp(headers.content_encoding, "gzip") == 0 ||
1055 g_ascii_strcasecmp(headers.content_encoding, "deflate")
1058 uncomp_tvb = tvb_uncompress(next_tvb, 0,
1059 tvb_length(next_tvb));
1063 * Add the encoded entity to the protocol tree
1065 e_ti = proto_tree_add_text(http_tree, next_tvb,
1066 0, tvb_length(next_tvb),
1067 "Content-encoded entity body (%s): %u bytes",
1068 headers.content_encoding,
1069 tvb_length(next_tvb));
1070 e_tree = proto_item_add_subtree(e_ti,
1071 ett_http_encoded_entity);
1073 if (uncomp_tvb != NULL) {
1075 * Decompression worked
1078 /* XXX - Don't free this, since it's possible
1079 * that the data was only partially
1080 * decompressed, such as when desegmentation
1085 proto_item_append_text(e_ti, " -> %u bytes", tvb_length(uncomp_tvb));
1086 next_tvb = uncomp_tvb;
1087 tvb_set_child_real_data_tvbuff(tvb, next_tvb);
1088 add_new_data_source(pinfo, next_tvb,
1089 "Uncompressed entity body");
1091 call_dissector(data_handle, next_tvb, pinfo,
1094 goto body_dissected;
1098 * Note that a new data source is added for the entity body
1099 * only if it was content-encoded and/or transfer-encoded.
1102 /* Save values for the Export Object GUI feature if we have
1103 * an active listener to process it (which happens when
1104 * the export object window is open). */
1105 if(have_tap_listener(http_eo_tap)) {
1106 eo_info = ep_alloc(sizeof(http_eo_t));
1108 eo_info->hostname = conv_data->http_host;
1109 eo_info->filename = conv_data->request_uri;
1110 eo_info->content_type = headers.content_type;
1111 eo_info->payload_len = next_tvb->length;
1112 eo_info->payload_data = next_tvb->real_data;
1114 tap_queue_packet(http_eo_tap, pinfo, eo_info);
1118 * Do subdissector checks.
1120 * First, check whether some subdissector asked that they
1121 * be called if something was on some particular port.
1124 handle = dissector_get_port_handle(port_subdissector_table,
1126 if (handle == NULL && headers.content_type != NULL) {
1128 * We didn't find any subdissector that
1129 * registered for the port, and we have a
1130 * Content-Type value. Is there any subdissector
1131 * for that content type?
1133 save_private_data = pinfo->private_data;
1135 if (headers.content_type_parameters)
1136 pinfo->private_data = ep_strdup(headers.content_type_parameters);
1138 pinfo->private_data = NULL;
1140 * Calling the string handle for the media type
1141 * dissector table will set pinfo->match_string
1142 * to headers.content_type for us.
1144 pinfo->match_string = headers.content_type;
1145 handle = dissector_get_string_handle(
1146 media_type_subdissector_table,
1147 headers.content_type);
1149 if (handle != NULL) {
1151 * We have a subdissector - call it.
1153 dissected = call_dissector(handle, next_tvb, pinfo,
1157 * We don't have a subdissector - try the heuristic
1160 dissected = dissector_try_heuristic(
1161 heur_subdissector_list, next_tvb, pinfo, tree);
1165 * The subdissector dissected the body.
1166 * Fix up the top-level item so that it doesn't
1167 * include the stuff for that protocol.
1170 proto_item_set_len(ti, offset);
1172 if (headers.content_type != NULL) {
1174 * Calling the default media handle if there is a content-type that
1175 * wasn't handled above.
1177 call_dissector(media_handle, next_tvb, pinfo, tree);
1179 /* Call the default data dissector */
1180 call_dissector(data_handle, next_tvb, pinfo, http_tree);
1186 * Do *not* attempt at freeing the private data;
1187 * it may be in use by subdissectors.
1189 if (save_private_data)
1190 pinfo->private_data = save_private_data;
1192 * We've processed "datalen" bytes worth of data
1193 * (which may be no data at all); advance the
1194 * offset past whatever data we've processed.
1199 tap_queue_packet(http_tap, pinfo, stat_info);
1201 return offset - orig_offset;
1204 /* This can be used to dissect an HTTP request until such time
1205 * that a more complete dissector is written for that HTTP request.
1206 * This simple dissector only puts the request method, URI, and
1207 * protocol version into a sub-tree.
1210 basic_request_dissector(tvbuff_t *tvb, proto_tree *tree, int offset,
1211 const guchar *line, const guchar *lineend,
1212 http_conv_t *conv_data)
1214 const guchar *next_token;
1218 /* The first token is the method. */
1219 tokenlen = get_token_len(line, lineend, &next_token);
1222 proto_tree_add_item(tree, hf_http_request_method, tvb, offset, tokenlen,
1224 offset += next_token - line;
1227 /* The next token is the URI. */
1228 tokenlen = get_token_len(line, lineend, &next_token);
1232 /* Save the request URI for various later uses */
1233 request_uri = (gchar *)tvb_get_ephemeral_string(tvb, offset, tokenlen);
1234 stat_info->request_uri = ep_strdup(request_uri);
1235 conv_data->request_uri = se_strdup(request_uri);
1237 proto_tree_add_string(tree, hf_http_request_uri, tvb, offset, tokenlen,
1239 offset += next_token - line;
1242 /* Everything to the end of the line is the version. */
1243 tokenlen = lineend - line;
1246 proto_tree_add_item(tree, hf_http_version, tvb, offset, tokenlen,
1251 basic_response_dissector(tvbuff_t *tvb, proto_tree *tree, int offset,
1252 const guchar *line, const guchar *lineend,
1253 http_conv_t *conv_data _U_)
1255 const guchar *next_token;
1257 gchar response_chars[4];
1259 /* The first token is the version. */
1260 tokenlen = get_token_len(line, lineend, &next_token);
1263 proto_tree_add_item(tree, hf_http_version, tvb, offset, tokenlen,
1265 offset += next_token - line;
1268 /* The next token is the status code. */
1269 tokenlen = get_token_len(line, lineend, &next_token);
1272 memcpy(response_chars, line, 3);
1273 response_chars[3] = '\0';
1275 stat_info->response_code = conv_data->response_code =
1276 strtoul(response_chars, NULL, 10);
1278 proto_tree_add_uint(tree, hf_http_response_code, tvb, offset, 3,
1279 stat_info->response_code);
1283 * Dissect the http data chunks and add them to the tree.
1286 chunked_encoding_dissector(tvbuff_t **tvb_ptr, packet_info *pinfo,
1287 proto_tree *tree, int offset)
1289 guint8 *chunk_string = NULL;
1290 guint32 chunk_size = 0;
1291 gint chunk_offset = 0;
1292 guint32 datalen = 0;
1294 gint chunks_decoded = 0;
1295 tvbuff_t *tvb = NULL;
1296 tvbuff_t *new_tvb = NULL;
1297 gint chunked_data_size = 0;
1298 proto_tree *subtree = NULL;
1299 proto_item *ti = NULL;
1301 if (tvb_ptr == NULL || *tvb_ptr == NULL) {
1307 datalen = tvb_reported_length_remaining(tvb, offset);
1310 ti = proto_tree_add_text(tree, tvb, offset, datalen,
1311 "HTTP chunked response");
1312 subtree = proto_item_add_subtree(ti, ett_http_chunked_response);
1316 while (datalen != 0) {
1317 proto_item *chunk_ti = NULL;
1318 proto_tree *chunk_subtree = NULL;
1319 tvbuff_t *data_tvb = NULL;
1324 linelen = tvb_find_line_end(tvb, offset, -1, &chunk_offset, TRUE);
1327 /* Can't get the chunk size line */
1331 chunk_string = tvb_get_ephemeral_string(tvb, offset, linelen);
1333 if (chunk_string == NULL) {
1334 /* Can't get the chunk size line */
1338 c = (gchar*) chunk_string;
1341 * We don't care about the extensions.
1343 if ((c = strchr(c, ';'))) {
1347 chunk_size = strtol((gchar*)chunk_string, NULL, 16);
1349 if (chunk_size > datalen) {
1351 * The chunk size is more than what's in the tvbuff,
1352 * so either the user hasn't enabled decoding, or all
1353 * of the segments weren't captured.
1355 chunk_size = datalen;
1358 else if (new_tvb == NULL) {
1359 new_tvb = tvb_new_composite();
1364 if (new_tvb != NULL && chunk_size != 0) {
1365 tvbuff_t *chunk_tvb = NULL;
1367 chunk_tvb = tvb_new_subset(tvb, chunk_offset,
1368 chunk_size, datalen);
1370 tvb_composite_append(new_tvb, chunk_tvb);
1375 chunked_data_size += chunk_size;
1377 raw_data = g_malloc(chunked_data_size);
1380 if (new_tvb != NULL) {
1381 raw_len = tvb_length_remaining(new_tvb, 0);
1382 tvb_memcpy(new_tvb, raw_data, 0, raw_len);
1387 tvb_memcpy(tvb, (guint8 *)(raw_data + raw_len),
1388 chunk_offset, chunk_size);
1390 /* Don't create a new tvb if we have a single chunk with
1391 * a size of zero (meaning it is the end of the chunks). */
1392 if(chunked_data_size > 0) {
1393 new_tvb = tvb_new_real_data(raw_data,
1394 chunked_data_size, chunked_data_size);
1395 tvb_set_free_cb(new_tvb, g_free);
1400 if(chunk_size == 0) {
1401 chunk_ti = proto_tree_add_text(subtree, tvb,
1403 chunk_offset - offset + chunk_size + 2,
1404 "End of chunked encoding");
1406 chunk_ti = proto_tree_add_text(subtree, tvb,
1408 chunk_offset - offset + chunk_size + 2,
1409 "Data chunk (%u octets)", chunk_size);
1412 chunk_subtree = proto_item_add_subtree(chunk_ti,
1413 ett_http_chunk_data);
1415 proto_tree_add_text(chunk_subtree, tvb, offset,
1416 chunk_offset - offset, "Chunk size: %u octets",
1419 data_tvb = tvb_new_subset(tvb, chunk_offset, chunk_size,
1424 * XXX - just use "proto_tree_add_text()"?
1425 * This means that, in TShark, you get
1426 * the entire chunk dumped out in hex,
1427 * in addition to whatever dissection is
1428 * done on the reassembled data.
1430 call_dissector(data_handle, data_tvb, pinfo,
1433 proto_tree_add_text(chunk_subtree, tvb, chunk_offset +
1434 chunk_size, 2, "Chunk boundary");
1438 offset = chunk_offset + chunk_size + 2;
1439 datalen = tvb_reported_length_remaining(tvb, offset);
1442 if (new_tvb != NULL) {
1444 /* Placeholder for the day that composite tvbuffer's will work.
1445 tvb_composite_finalize(new_tvb);
1446 / * tvb_set_reported_length(new_tvb, chunked_data_size); * /
1450 * XXX - Don't free this, since the tvbuffer that was passed
1451 * may be used if the data spans multiple frames and reassembly
1460 * We didn't create a new tvb, so don't allow sub dissectors
1461 * try to decode the non-existant entity body.
1463 chunks_decoded = -1;
1466 return chunks_decoded;
1470 /* Call a subdissector to handle HTTP CONNECT's traffic */
1472 http_payload_subdissector(tvbuff_t *tvb, proto_tree *tree,
1473 packet_info *pinfo, http_conv_t *conv_data)
1475 guint32 *ptr = NULL;
1476 guint32 dissect_as, saved_port;
1477 gchar **strings; /* An array for splitting the request URI into hostname and port */
1479 proto_tree *proxy_tree;
1481 /* Grab the destination port number from the request URI to find the right subdissector */
1482 strings = g_strsplit(conv_data->request_uri, ":", 2);
1484 if(strings[0] != NULL && strings[1] != NULL) {
1486 * The string was successfuly split in two
1487 * Create a proxy-connect subtree
1490 item = proto_tree_add_item(tree, proto_http, tvb, 0, -1, FALSE);
1491 proxy_tree = proto_item_add_subtree(item, ett_http);
1493 item = proto_tree_add_string(proxy_tree, hf_http_proxy_connect_host,
1494 tvb, 0, 0, strings[0]);
1495 PROTO_ITEM_SET_GENERATED(item);
1497 item = proto_tree_add_uint(proxy_tree, hf_http_proxy_connect_port,
1498 tvb, 0, 0, strtol(strings[1], NULL, 10) );
1499 PROTO_ITEM_SET_GENERATED(item);
1502 /* We're going to get stuck in a loop if we let process_tcp_payload call
1503 us, so call the data dissector instead for proxy connections to http ports. */
1504 dissect_as = (int)strtol(strings[1], NULL, 10); /* Convert string to a base-10 integer */
1506 if (value_is_in_range(http_tcp_range, dissect_as)) {
1507 call_dissector(data_handle, tvb, pinfo, tree);
1509 /* set pinfo->{src/dst port} and call the TCP sub-dissector lookup */
1510 if ( !ptr && value_is_in_range(http_tcp_range, pinfo->destport) )
1511 ptr = &pinfo->destport;
1513 ptr = &pinfo->srcport;
1515 /* Increase pinfo->can_desegment because we are traversing
1516 * http and want to preserve desegmentation functionality for
1517 * the proxied protocol
1519 if( pinfo->can_desegment>0 )
1520 pinfo->can_desegment++;
1524 decode_tcp_ports(tvb, 0, pinfo, tree,
1525 pinfo->srcport, pinfo->destport, NULL);
1529 g_strfreev(strings); /* Free the result of g_strsplit() above */
1535 * XXX - this won't handle HTTP 0.9 replies, but they're all data
1539 is_http_request_or_reply(const gchar *data, int linelen, http_type_t *type,
1540 ReqRespDissector *reqresp_dissector,
1541 http_conv_t *conv_data)
1543 int isHttpRequestOrReply = FALSE;
1547 * From RFC 2774 - An HTTP Extension Framework
1549 * Support the command prefix that identifies the presence of
1550 * a "mandatory" header.
1552 if (linelen >= 2 && strncmp(data, "M-", 2) == 0) {
1559 * From draft-cohen-gena-client-01.txt, available from the uPnP forum:
1560 * NOTIFY, SUBSCRIBE, UNSUBSCRIBE
1562 * From draft-ietf-dasl-protocol-00.txt, a now vanished Microsoft draft:
1565 if (linelen >= 5 && strncmp(data, "HTTP/", 5) == 0) {
1566 *type = HTTP_RESPONSE;
1567 isHttpRequestOrReply = TRUE; /* response */
1568 if (reqresp_dissector)
1569 *reqresp_dissector = basic_response_dissector;
1571 const guchar * ptr = (const guchar *)data;
1574 /* Look for the space following the Method */
1575 while (index < linelen) {
1584 /* Check the methods that have same length */
1588 if (strncmp(data, "GET", index) == 0 ||
1589 strncmp(data, "PUT", index) == 0) {
1590 *type = HTTP_REQUEST;
1591 isHttpRequestOrReply = TRUE;
1593 else if (strncmp(data, "ICY", index) == 0) {
1594 *type = HTTP_RESPONSE;
1595 isHttpRequestOrReply = TRUE;
1600 if (strncmp(data, "COPY", index) == 0 ||
1601 strncmp(data, "HEAD", index) == 0 ||
1602 strncmp(data, "LOCK", index) == 0 ||
1603 strncmp(data, "MOVE", index) == 0 ||
1604 strncmp(data, "POLL", index) == 0 ||
1605 strncmp(data, "POST", index) == 0) {
1606 *type = HTTP_REQUEST;
1607 isHttpRequestOrReply = TRUE;
1612 if (strncmp(data, "BCOPY", index) == 0 ||
1613 strncmp(data, "BMOVE", index) == 0 ||
1614 strncmp(data, "MKCOL", index) == 0 ||
1615 strncmp(data, "TRACE", index) == 0 ||
1616 strncmp(data, "LABEL", index) == 0 || /* RFC 3253 8.2 */
1617 strncmp(data, "MERGE", index) == 0) { /* RFC 3253 11.2 */
1618 *type = HTTP_REQUEST;
1619 isHttpRequestOrReply = TRUE;
1624 if (strncmp(data, "DELETE", index) == 0 ||
1625 strncmp(data, "SEARCH", index) == 0 ||
1626 strncmp(data, "UNLOCK", index) == 0 ||
1627 strncmp(data, "REPORT", index) == 0 || /* RFC 3253 3.6 */
1628 strncmp(data, "UPDATE", index) == 0) { /* RFC 3253 7.1 */
1629 *type = HTTP_REQUEST;
1630 isHttpRequestOrReply = TRUE;
1632 else if (strncmp(data, "NOTIFY", index) == 0) {
1633 *type = HTTP_NOTIFICATION;
1634 isHttpRequestOrReply = TRUE;
1639 if (strncmp(data, "BDELETE", index) == 0 ||
1640 strncmp(data, "CONNECT", index) == 0 ||
1641 strncmp(data, "OPTIONS", index) == 0 ||
1642 strncmp(data, "CHECKIN", index) == 0) { /* RFC 3253 4.4, 9.4 */
1643 *type = HTTP_REQUEST;
1644 isHttpRequestOrReply = TRUE;
1649 if (strncmp(data, "PROPFIND", index) == 0 ||
1650 strncmp(data, "CHECKOUT", index) == 0 || /* RFC 3253 4.3, 9.3 */
1651 strncmp(data, "CCM_POST", index) == 0) {
1652 *type = HTTP_REQUEST;
1653 isHttpRequestOrReply = TRUE;
1658 if (strncmp(data, "SUBSCRIBE", index) == 0) {
1659 *type = HTTP_NOTIFICATION;
1660 isHttpRequestOrReply = TRUE;
1661 } else if (strncmp(data, "PROPPATCH", index) == 0 ||
1662 strncmp(data, "BPROPFIND", index) == 0) {
1663 *type = HTTP_REQUEST;
1664 isHttpRequestOrReply = TRUE;
1669 if (strncmp(data, "BPROPPATCH", index) == 0 ||
1670 strncmp(data, "UNCHECKOUT", index) == 0 || /* RFC 3253 4.5 */
1671 strncmp(data, "MKACTIVITY", index) == 0) { /* RFC 3253 13.5 */
1672 *type = HTTP_REQUEST;
1673 isHttpRequestOrReply = TRUE;
1678 if (strncmp(data, "MKWORKSPACE", index) == 0) { /* RFC 3253 6.3 */
1679 *type = HTTP_REQUEST;
1680 isHttpRequestOrReply = TRUE;
1681 } else if (strncmp(data, "UNSUBSCRIBE", index) == 0) {
1682 *type = HTTP_NOTIFICATION;
1683 isHttpRequestOrReply = TRUE;
1684 } else if (strncmp(data, "RPC_CONNECT", index) == 0) {
1685 *type = HTTP_REQUEST;
1686 isHttpRequestOrReply = TRUE;
1691 if (strncmp(data, "VERSION-CONTROL", index) == 0) { /* RFC 3253 3.5 */
1692 *type = HTTP_REQUEST;
1693 isHttpRequestOrReply = TRUE;
1698 if (strncmp(data, "BASELINE-CONTROL", index) == 0) { /* RFC 3253 12.6 */
1699 *type = HTTP_REQUEST;
1700 isHttpRequestOrReply = TRUE;
1708 if (isHttpRequestOrReply && reqresp_dissector) {
1709 *reqresp_dissector = basic_request_dissector;
1711 stat_info->request_method = ep_strndup(data, index+1);
1712 conv_data->request_method = se_strndup(data, index+1);
1719 return isHttpRequestOrReply;
1731 #define HDR_NO_SPECIAL 0
1732 #define HDR_AUTHORIZATION 1
1733 #define HDR_AUTHENTICATE 2
1734 #define HDR_CONTENT_TYPE 3
1735 #define HDR_CONTENT_LENGTH 4
1736 #define HDR_CONTENT_ENCODING 5
1737 #define HDR_TRANSFER_ENCODING 6
1740 static const header_info headers[] = {
1741 { "Authorization", &hf_http_authorization, HDR_AUTHORIZATION },
1742 { "Proxy-Authorization", &hf_http_proxy_authorization, HDR_AUTHORIZATION },
1743 { "Proxy-Authenticate", &hf_http_proxy_authenticate, HDR_AUTHENTICATE },
1744 { "WWW-Authenticate", &hf_http_www_authenticate, HDR_AUTHENTICATE },
1745 { "Content-Type", &hf_http_content_type, HDR_CONTENT_TYPE },
1746 { "Content-Length", &hf_http_content_length, HDR_CONTENT_LENGTH },
1747 { "Content-Encoding", &hf_http_content_encoding, HDR_CONTENT_ENCODING },
1748 { "Transfer-Encoding", &hf_http_transfer_encoding, HDR_TRANSFER_ENCODING },
1749 { "User-Agent", &hf_http_user_agent, HDR_NO_SPECIAL },
1750 { "Host", &hf_http_host, HDR_HOST },
1751 { "Connection", &hf_http_connection, HDR_NO_SPECIAL },
1752 { "Cookie", &hf_http_cookie, HDR_NO_SPECIAL },
1753 { "Accept", &hf_http_accept, HDR_NO_SPECIAL },
1754 { "Referer", &hf_http_referer, HDR_NO_SPECIAL },
1755 { "Accept-Language", &hf_http_accept_language, HDR_NO_SPECIAL },
1756 { "Accept-Encoding", &hf_http_accept_encoding, HDR_NO_SPECIAL },
1757 { "Date", &hf_http_date, HDR_NO_SPECIAL },
1758 { "Cache-Control", &hf_http_cache_control, HDR_NO_SPECIAL },
1759 { "Server", &hf_http_server, HDR_NO_SPECIAL },
1760 { "Location", &hf_http_location, HDR_NO_SPECIAL },
1761 { "Set-Cookie", &hf_http_set_cookie, HDR_NO_SPECIAL },
1762 { "Last-Modified", &hf_http_last_modified, HDR_NO_SPECIAL },
1763 { "X-Forwarded-For", &hf_http_x_forwarded_for, HDR_NO_SPECIAL },
1767 process_header(tvbuff_t *tvb, int offset, int next_offset,
1768 const guchar *line, int linelen, int colon_offset,
1769 packet_info *pinfo, proto_tree *tree, headers_t *eh_ptr,
1770 http_conv_t *conv_data)
1773 int line_end_offset;
1782 proto_item *hdr_item;
1785 len = next_offset - offset;
1786 line_end_offset = offset + linelen;
1787 header_len = colon_offset - offset;
1788 hf_index = find_header_hf_value(tvb, offset, header_len);
1790 if (hf_index == -1) {
1792 * Not a header we know anything about. Just put it into
1796 proto_tree_add_text(tree, tvb, offset, len,
1797 "%s", format_text(line, len));
1801 * Skip whitespace after the colon.
1803 value_offset = colon_offset + 1;
1804 while (value_offset < line_end_offset
1805 && ((c = line[value_offset - offset]) == ' ' || c == '\t'))
1811 value_len = line_end_offset - value_offset;
1812 value = ep_strndup(&line[value_offset - offset], value_len);
1815 * Add it to the protocol tree as a particular field,
1816 * but display the line as is.
1819 header_field_info *hfinfo;
1822 hfinfo = proto_registrar_get_nth(*headers[hf_index].hf);
1823 switch(hfinfo->type){
1832 tmp=strtol(value, NULL, 10);
1833 hdr_item = proto_tree_add_uint(tree, *headers[hf_index].hf, tvb, offset, len, tmp);
1836 hdr_item = proto_tree_add_string_format(tree,
1837 *headers[hf_index].hf, tvb, offset, len,
1838 value, "%s", format_text(line, len));
1844 * Do any special processing that particular headers
1847 switch (headers[hf_index].special) {
1849 case HDR_AUTHORIZATION:
1850 if (check_auth_ntlmssp(hdr_item, tvb, pinfo, value))
1851 break; /* dissected NTLMSSP */
1852 check_auth_basic(hdr_item, tvb, value);
1855 case HDR_AUTHENTICATE:
1856 check_auth_ntlmssp(hdr_item, tvb, pinfo, value);
1859 case HDR_CONTENT_TYPE:
1860 eh_ptr->content_type = (gchar*) ep_memdup((guint8*)value,value_len + 1);
1862 for (i = 0; i < value_len; i++) {
1864 if (c == ';' || isspace(c)) {
1866 * End of subtype - either
1867 * white space or a ";"
1868 * separating the subtype from
1875 * Map the character to lower case;
1876 * content types are case-insensitive.
1878 eh_ptr->content_type[i] = tolower(eh_ptr->content_type[i]);
1880 eh_ptr->content_type[i] = '\0';
1882 * Now find the start of the optional parameters;
1883 * skip the optional white space and the semicolon
1884 * if this has not been done before.
1887 while (i < value_len) {
1888 c = eh_ptr->content_type[i];
1889 if (c == ';' || isspace(c))
1890 /* Skip till start of parameters */
1896 eh_ptr->content_type_parameters = eh_ptr->content_type + i;
1898 eh_ptr->content_type_parameters = NULL;
1901 case HDR_CONTENT_LENGTH:
1902 eh_ptr->content_length = strtol(value, &p, 10);
1904 if (eh_ptr->content_length < 0 || p == value ||
1905 (*up != '\0' && !isspace(*up))) {
1907 * Content length not valid; pretend
1910 eh_ptr->have_content_length = FALSE;
1913 * We do have a valid content length.
1915 eh_ptr->have_content_length = TRUE;
1919 case HDR_CONTENT_ENCODING:
1920 eh_ptr->content_encoding = ep_strndup(value, value_len);
1923 case HDR_TRANSFER_ENCODING:
1924 eh_ptr->transfer_encoding = ep_strndup(value, value_len);
1928 stat_info->http_host = ep_strndup(value, value_len);
1929 conv_data->http_host = se_strndup(value, value_len);
1936 /* Returns index of header tag in headers */
1938 find_header_hf_value(tvbuff_t *tvb, int offset, guint header_len)
1942 for (i = 0; i < array_length(headers); i++) {
1943 if (header_len == strlen(headers[i].name) &&
1944 tvb_strncaseeql(tvb, offset,
1945 headers[i].name, header_len) == 0)
1953 * Dissect Microsoft's abomination called NTLMSSP over HTTP.
1956 check_auth_ntlmssp(proto_item *hdr_item, tvbuff_t *tvb, packet_info *pinfo,
1959 static const char *ntlm_headers[] = {
1964 const char **header;
1966 proto_tree *hdr_tree;
1969 * Check for NTLM credentials and challenge; those can
1970 * occur with WWW-Authenticate.
1972 for (header = &ntlm_headers[0]; *header != NULL; header++) {
1973 hdrlen = strlen(*header);
1974 if (strncmp(value, *header, hdrlen) == 0) {
1975 if (hdr_item != NULL) {
1976 hdr_tree = proto_item_add_subtree(hdr_item,
1981 dissect_http_ntlmssp(tvb, pinfo, hdr_tree, value);
1989 * Dissect HTTP Basic authorization.
1992 check_auth_basic(proto_item *hdr_item, tvbuff_t *tvb, gchar *value)
1994 static const char *basic_headers[] = {
1998 const char **header;
2000 proto_tree *hdr_tree;
2003 for (header = &basic_headers[0]; *header != NULL; header++) {
2004 hdrlen = strlen(*header);
2005 if (strncmp(value, *header, hdrlen) == 0) {
2006 if (hdr_item != NULL) {
2007 hdr_tree = proto_item_add_subtree(hdr_item,
2013 len = epan_base64_decode(value);
2015 proto_tree_add_string(hdr_tree, hf_http_basic, tvb,
2025 dissect_http(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
2027 http_conv_t *conv_data;
2032 * Check if this is proxied connection and if so, hand of dissection to the
2033 * payload-dissector.
2034 * Response code 200 means "OK" and strncmp() == 0 means the strings match exactly */
2035 conv_data = get_http_conversation_data(pinfo);
2036 if(pinfo->fd->num >= conv_data->startframe &&
2037 conv_data->response_code == 200 &&
2038 conv_data->request_method &&
2039 strncmp(conv_data->request_method, "CONNECT", 7) == 0 &&
2040 conv_data->request_uri) {
2041 if(conv_data->startframe == 0 && !pinfo->fd->flags.visited)
2042 conv_data->startframe = pinfo->fd->num;
2043 http_payload_subdissector(tvb, tree, pinfo, conv_data);
2045 while (tvb_reported_length_remaining(tvb, offset) != 0) {
2046 len = dissect_http_message(tvb, offset, pinfo, tree, conv_data);
2052 * OK, we've set the Protocol and Info columns for the
2053 * first HTTP message; make the columns non-writable,
2054 * so that we don't change it for subsequent HTTP messages.
2056 col_set_writable(pinfo->cinfo, FALSE);
2062 dissect_http_udp(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
2064 http_conv_t *conv_data;
2066 conv_data = get_http_conversation_data(pinfo);
2067 dissect_http_message(tvb, 0, pinfo, tree, conv_data);
2070 static void range_delete_http_tcp_callback(guint32 port) {
2071 dissector_delete("tcp.port", port, http_handle);
2074 static void range_add_http_tcp_callback(guint32 port) {
2075 dissector_add("tcp.port", port, http_handle);
2078 static void range_delete_http_ssl_callback(guint32 port) {
2079 ssl_dissector_delete(port, "http", TRUE);
2082 static void range_add_http_ssl_callback(guint32 port) {
2083 ssl_dissector_add(port, "http", TRUE);
2086 static void reinit_http(void) {
2087 range_foreach(http_tcp_range, range_delete_http_tcp_callback);
2088 g_free(http_tcp_range);
2089 http_tcp_range = range_copy(global_http_tcp_range);
2090 range_foreach(http_tcp_range, range_add_http_tcp_callback);
2092 range_foreach(http_ssl_range, range_delete_http_ssl_callback);
2093 g_free(http_ssl_range);
2094 http_ssl_range = range_copy(global_http_ssl_range);
2095 range_foreach(http_ssl_range, range_add_http_ssl_callback);
2099 proto_register_http(void)
2101 static hf_register_info hf[] = {
2102 { &hf_http_notification,
2103 { "Notification", "http.notification",
2104 FT_BOOLEAN, BASE_NONE, NULL, 0x0,
2105 "TRUE if HTTP notification", HFILL }},
2106 { &hf_http_response,
2107 { "Response", "http.response",
2108 FT_BOOLEAN, BASE_NONE, NULL, 0x0,
2109 "TRUE if HTTP response", HFILL }},
2111 { "Request", "http.request",
2112 FT_BOOLEAN, BASE_NONE, NULL, 0x0,
2113 "TRUE if HTTP request", HFILL }},
2115 { "Credentials", "http.authbasic",
2116 FT_STRING, BASE_NONE, NULL, 0x0, "", HFILL }},
2117 { &hf_http_request_method,
2118 { "Request Method", "http.request.method",
2119 FT_STRING, BASE_NONE, NULL, 0x0,
2120 "HTTP Request Method", HFILL }},
2121 { &hf_http_request_uri,
2122 { "Request URI", "http.request.uri",
2123 FT_STRING, BASE_NONE, NULL, 0x0,
2124 "HTTP Request-URI", HFILL }},
2126 { "Request Version", "http.request.version",
2127 FT_STRING, BASE_NONE, NULL, 0x0,
2128 "HTTP Request HTTP-Version", HFILL }},
2129 { &hf_http_response_code,
2130 { "Response Code", "http.response.code",
2131 FT_UINT16, BASE_DEC, NULL, 0x0,
2132 "HTTP Response Code", HFILL }},
2133 { &hf_http_authorization,
2134 { "Authorization", "http.authorization",
2135 FT_STRING, BASE_NONE, NULL, 0x0,
2136 "HTTP Authorization header", HFILL }},
2137 { &hf_http_proxy_authenticate,
2138 { "Proxy-Authenticate", "http.proxy_authenticate",
2139 FT_STRING, BASE_NONE, NULL, 0x0,
2140 "HTTP Proxy-Authenticate header", HFILL }},
2141 { &hf_http_proxy_authorization,
2142 { "Proxy-Authorization", "http.proxy_authorization",
2143 FT_STRING, BASE_NONE, NULL, 0x0,
2144 "HTTP Proxy-Authorization header", HFILL }},
2145 { &hf_http_proxy_connect_host,
2146 { "Proxy-Connect-Hostname", "http.proxy_connect_host",
2147 FT_STRING, BASE_NONE, NULL, 0x0,
2148 "HTTP Proxy Connect Hostname", HFILL }},
2149 { &hf_http_proxy_connect_port,
2150 { "Proxy-Connect-Port", "http.proxy_connect_port",
2151 FT_UINT16, BASE_DEC, NULL, 0x0,
2152 "HTTP Proxy Connect Port", HFILL }},
2153 { &hf_http_www_authenticate,
2154 { "WWW-Authenticate", "http.www_authenticate",
2155 FT_STRING, BASE_NONE, NULL, 0x0,
2156 "HTTP WWW-Authenticate header", HFILL }},
2157 { &hf_http_content_type,
2158 { "Content-Type", "http.content_type",
2159 FT_STRING, BASE_NONE, NULL, 0x0,
2160 "HTTP Content-Type header", HFILL }},
2161 { &hf_http_content_length,
2162 { "Content-Length", "http.content_length",
2163 FT_UINT32, BASE_DEC, NULL, 0x0,
2164 "HTTP Content-Length header", HFILL }},
2165 { &hf_http_content_encoding,
2166 { "Content-Encoding", "http.content_encoding",
2167 FT_STRING, BASE_NONE, NULL, 0x0,
2168 "HTTP Content-Encoding header", HFILL }},
2169 { &hf_http_transfer_encoding,
2170 { "Transfer-Encoding", "http.transfer_encoding",
2171 FT_STRING, BASE_NONE, NULL, 0x0,
2172 "HTTP Transfer-Encoding header", HFILL }},
2173 { &hf_http_user_agent,
2174 { "User-Agent", "http.user_agent",
2175 FT_STRING, BASE_NONE, NULL, 0x0,
2176 "HTTP User-Agent header", HFILL }},
2178 { "Host", "http.host",
2179 FT_STRING, BASE_NONE, NULL, 0x0,
2180 "HTTP Host", HFILL }},
2181 { &hf_http_connection,
2182 { "Connection", "http.connection",
2183 FT_STRING, BASE_NONE, NULL, 0x0,
2184 "HTTP Connection", HFILL }},
2186 { "Cookie", "http.cookie",
2187 FT_STRING, BASE_NONE, NULL, 0x0,
2188 "HTTP Cookie", HFILL }},
2190 { "Accept", "http.accept",
2191 FT_STRING, BASE_NONE, NULL, 0x0,
2192 "HTTP Accept", HFILL }},
2194 { "Referer", "http.referer",
2195 FT_STRING, BASE_NONE, NULL, 0x0,
2196 "HTTP Referer", HFILL }},
2197 { &hf_http_accept_language,
2198 { "Accept-Language", "http.accept_language",
2199 FT_STRING, BASE_NONE, NULL, 0x0,
2200 "HTTP Accept Language", HFILL }},
2201 { &hf_http_accept_encoding,
2202 { "Accept Encoding", "http.accept_encoding",
2203 FT_STRING, BASE_NONE, NULL, 0x0,
2204 "HTTP Accept Encoding", HFILL }},
2206 { "Date", "http.date",
2207 FT_STRING, BASE_NONE, NULL, 0x0,
2208 "HTTP Date", HFILL }},
2209 { &hf_http_cache_control,
2210 { "Cache-Control", "http.cache_control",
2211 FT_STRING, BASE_NONE, NULL, 0x0,
2212 "HTTP Cache Control", HFILL }},
2214 { "Server", "http.server",
2215 FT_STRING, BASE_NONE, NULL, 0x0,
2216 "HTTP Server", HFILL }},
2217 { &hf_http_location,
2218 { "Location", "http.location",
2219 FT_STRING, BASE_NONE, NULL, 0x0,
2220 "HTTP Location", HFILL }},
2221 { &hf_http_set_cookie,
2222 { "Set-Cookie", "http.set_cookie",
2223 FT_STRING, BASE_NONE, NULL, 0x0,
2224 "HTTP Set Cookie", HFILL }},
2225 { &hf_http_last_modified,
2226 { "Last-Modified", "http.last_modified",
2227 FT_STRING, BASE_NONE, NULL, 0x0,
2228 "HTTP Last Modified", HFILL }},
2229 { &hf_http_x_forwarded_for,
2230 { "X-Forwarded-For", "http.x_forwarded_for",
2231 FT_STRING, BASE_NONE, NULL, 0x0,
2232 "HTTP X-Forwarded-For", HFILL }},
2234 static gint *ett[] = {
2238 &ett_http_chunked_response,
2239 &ett_http_chunk_data,
2240 &ett_http_encoded_entity,
2242 module_t *http_module;
2244 proto_http = proto_register_protocol("Hypertext Transfer Protocol",
2246 proto_register_field_array(proto_http, hf, array_length(hf));
2247 proto_register_subtree_array(ett, array_length(ett));
2248 register_dissector("http", dissect_http, proto_http);
2249 http_module = prefs_register_protocol(proto_http, reinit_http);
2250 prefs_register_bool_preference(http_module, "desegment_headers",
2251 "Reassemble HTTP headers spanning multiple TCP segments",
2252 "Whether the HTTP dissector should reassemble headers "
2253 "of a request spanning multiple TCP segments. "
2254 "To use this option, you must also enable "
2255 "\"Allow subdissectors to reassemble TCP streams\" in the TCP protocol settings.",
2256 &http_desegment_headers);
2257 prefs_register_bool_preference(http_module, "desegment_body",
2258 "Reassemble HTTP bodies spanning multiple TCP segments",
2259 "Whether the HTTP dissector should use the "
2260 "\"Content-length:\" value, if present, to reassemble "
2261 "the body of a request spanning multiple TCP segments, "
2262 "and reassemble chunked data spanning multiple TCP segments. "
2263 "To use this option, you must also enable "
2264 "\"Allow subdissectors to reassemble TCP streams\" in the TCP protocol settings.",
2265 &http_desegment_body);
2266 prefs_register_bool_preference(http_module, "dechunk_body",
2267 "Reassemble chunked transfer-coded bodies",
2268 "Whether to reassemble bodies of entities that are transfered "
2269 "using the \"Transfer-Encoding: chunked\" method",
2270 &http_dechunk_body);
2272 prefs_register_bool_preference(http_module, "decompress_body",
2273 "Uncompress entity bodies",
2274 "Whether to uncompress entity bodies that are compressed "
2275 "using \"Content-Encoding: \"",
2276 &http_decompress_body);
2278 prefs_register_obsolete_preference(http_module, "tcp_alternate_port");
2280 range_convert_str(&global_http_tcp_range, TCP_DEFAULT_RANGE, 65535);
2281 http_tcp_range = range_empty();
2282 prefs_register_range_preference(http_module, "tcp.port", "TCP Ports",
2284 &global_http_tcp_range, 65535);
2286 range_convert_str(&global_http_ssl_range, SSL_DEFAULT_RANGE, 65535);
2287 http_ssl_range = range_empty();
2288 prefs_register_range_preference(http_module, "ssl.port", "SSL/TLS Ports",
2289 "SSL/TLS Ports range",
2290 &global_http_ssl_range, 65535);
2292 http_handle = create_dissector_handle(dissect_http, proto_http);
2295 * Dissectors shouldn't register themselves in this table;
2296 * instead, they should call "http_dissector_add()", and
2297 * we'll register the port number they specify as a port
2298 * for HTTP, and register them in our subdissector table.
2300 * This only works for protocols such as IPP that run over
2301 * HTTP on a specific non-HTTP port.
2303 port_subdissector_table = register_dissector_table("http.port",
2304 "TCP port for protocols using HTTP", FT_UINT16, BASE_DEC);
2307 * Dissectors can register themselves in this table.
2308 * It's just "media_type", not "http.content_type", because
2309 * it's an Internet media type, usable by other protocols as well.
2311 media_type_subdissector_table =
2312 register_dissector_table("media_type",
2313 "Internet media type", FT_STRING, BASE_NONE);
2316 * Heuristic dissectors SHOULD register themselves in
2317 * this table using the standard heur_dissector_add()
2320 register_heur_dissector_list("http", &heur_subdissector_list);
2323 * Register for tapping
2325 http_tap = register_tap("http"); /* HTTP statistics tap */
2326 http_eo_tap = register_tap("http_eo"); /* HTTP Export Object tap */
2330 * Called by dissectors for protocols that run atop HTTP/TCP.
2333 http_dissector_add(guint32 port, dissector_handle_t handle)
2336 * Register ourselves as the handler for that port number
2339 dissector_add("tcp.port", port, http_handle);
2342 * And register them in *our* table for that port.
2344 dissector_add("http.port", port, handle);
2348 proto_reg_handoff_http(void)
2350 dissector_handle_t http_udp_handle;
2352 data_handle = find_dissector("data");
2353 media_handle = find_dissector("media");
2356 * XXX - is there anything to dissect in the body of an SSDP
2357 * request or reply? I.e., should there be an SSDP dissector?
2359 http_udp_handle = create_dissector_handle(dissect_http_udp, proto_http);
2360 dissector_add("udp.port", UDP_PORT_SSDP, http_udp_handle);
2362 ntlmssp_handle = find_dissector("ntlmssp");
2363 gssapi_handle = find_dissector("gssapi");
2365 stats_tree_register("http","http","HTTP/Packet Counter", http_stats_tree_packet, http_stats_tree_init, NULL );
2366 stats_tree_register("http","http_req","HTTP/Requests", http_req_stats_tree_packet, http_req_stats_tree_init, NULL );
2367 stats_tree_register("http","http_srv","HTTP/Load Distribution",http_reqs_stats_tree_packet,http_reqs_stats_tree_init, NULL );
2372 * Content-Type: message/http
2375 static gint proto_message_http = -1;
2376 static gint ett_message_http = -1;
2377 static dissector_handle_t message_http_handle;
2380 dissect_message_http(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
2382 proto_tree *subtree;
2384 gint offset = 0, next_offset;
2387 if (check_col(pinfo->cinfo, COL_INFO))
2388 col_append_str(pinfo->cinfo, COL_INFO, " (message/http)");
2390 ti = proto_tree_add_item(tree, proto_message_http,
2392 subtree = proto_item_add_subtree(ti, ett_message_http);
2393 while (tvb_reported_length_remaining(tvb, offset) != 0) {
2394 len = tvb_find_line_end(tvb, offset,
2395 tvb_ensure_length_remaining(tvb, offset),
2396 &next_offset, FALSE);
2399 proto_tree_add_text(subtree, tvb, offset, next_offset - offset,
2400 "%s", tvb_format_text(tvb, offset, len));
2401 offset = next_offset;
2407 proto_register_message_http(void)
2409 static gint *ett[] = {
2413 proto_message_http = proto_register_protocol(
2414 "Media Type: message/http",
2418 proto_register_subtree_array(ett, array_length(ett));
2422 proto_reg_handoff_message_http(void)
2424 message_http_handle = create_dissector_handle(dissect_message_http,
2425 proto_message_http);
2427 dissector_add_string("media_type", "message/http", message_http_handle);
git.samba.org / obnox / wireshark / wip.git / blob